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ALL INFORMATION CONTAINED 

HEREIN 15 UNCLASSIFIED 

DATE 09-25-2012 BY 60324/UC/baw/sab/as 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE 

’To: Criminal Investigative 

Chicago 
San Francisco 


Date: 04/03/1998 

Attn: NIPC/CIU 

Attn: 288 Supervisor 

Attn: 288 Supervisor 



Title: SOLAR SUNRISE; 

CITA/NIPC 


Synopsis: Information is being forwarded to receiving offices 

regarding captioned matter. 


Details: On 4/3/98, SA 


(KCD), telephonically contacted | __ 

Network and Security Services (MNSS), 1805 E. Walnut Stree t, 


1 Kansas City Division 
] MOREnet 


fax 

on 


Columbia, Missouri 65201, telephone number 

number (573) 884-6673, regarding a fax received from_ 

3/6/98. The fax described an intrusion into a computer at the 
Central Methodist College, cmc2.cmc.edu, which is a downstream 
connection from MNSS. 


bo 
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1 advised t hat someone named 


sent an E-mail message to MNSS with a 
The password fi le was la ter verified as 

claimed he 


password file attached. 

an old password file from cmc2.cmc.edu. __ 

received the password file from an "east coast” hacker who 
claimed to be involved with the compromises of the Pentagon 
servers via the Internet. The hacker sent the password file to 
| | as proof of his hacking ability. 
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To: Criminal Investigative From: 

Re: 288-HQ-1242560, 04/03/1998 



A copy of the aforementioned fax is attached. 

This information is being forwarded to receiving 
offices for whatever action deemed appropriate. 


♦ ♦ 
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March <5,1998 

TO: SA l I 

COMPANY: Federal Bureau of Investigation, Kansas City Field Office 

ADDRESS: 

PHONE: 

FAX: I 


FROM: 

Missouri Research and Education Network b 6 

1805 E. Walnut St b i c 

Columbia, MO 65201 

PHONE: I ~l 

FAX: (573) 884^6673 


MESSAGE: Following is a summary of the current incident we are working on. Feel 

free to contact me with anything you need further on this. I look forward to meeting and 
working with you! 

Best regards; 




Umvcrjiry of Mwouti-Columhia 
em equal opportunity institution 
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JJNIU OF MO-flPG/MORENET 


573 884 6673 P.02/02 


MOREnet Security Services 

Incident Summary: MN#12696 -- 

Tuesday, 3 Mar 98 approx 2241 CST MOREnet received a page from | |atISC A regarding a 

security incident with one of our downstream con nections. | | the MOREnet 

Security Coordinator responded to l \ s call and learned that ho was in 

possession of a password file, reportedly from a computer designated cmc2.crnc.edu 

The computer designated is located at Central Methodist College, connected via MOREnet to the Internet. The 

Intcmic Whols table lists MOREnet as the technical contact, which precipitated|_ 

call to us. 

-1 reported that he received the file from an ‘east coast’ hacker who was claiming to be involved 

with the recent compromises of the Pentagon and other servers via the Internet. He was 
sent the file as verification of the hacker’s abilities. 

After exchanging PGP kevs.l |forwarded the file to us on 4 Mar 98 via el ectronic mail f rom an 

account f I We forwarded the file to l I the system 

administrator at Central Methodist College who confirmed file was indeed the password 
tile from the cmc2.cmc.cdu computer as it appeared in late 1996 or early 1997. Related 
note; we had an incident in November of 1996 wherein the same server was compromised 
and the password file was suspected to have been cracked at that time. 

On 5 Mar 98 at approx 1445 CST .I l at Central Methodi st reported tha t he observed auserlD logged 

into the cmc2.cmc.edu system at IP Address l Ithatwas attempting to install 

COPS, a commonly used UNIX system cracking tool l [ terminated the user 

session, and within a few minu tes noticed th at another userlD logged into the system and 
attempted the same installation. | | noted and reported t o us that the sessions were 

connecting via telnet from a system identified ns( dyn4.k askad!mij.t IP Address 
| lipirmtnat ert the second session, and as of 1630 CST had not 

had further login attempts from outside of the College’s network. 

At approx 1500 CST, MOREnet reported the incident to CERT. CERT’S suggestion was to send email to the 
network provider for kaskomx u with the incident information. CERT requested to be cc’d 
on the email noIc J t f om MOREnet sent this note at approx 1700 CST. 

MOREnet recommended to Central Methodist that the strver be taken off line, have the 

operating system installed from known media and patched to the current levels before_ 

bringing the system back online. MOREnet further blocked the IP address|_at 

the site router, preventing further network traffic to and from the system. 


Nothing Further. 


5 Mar 98 1730CST 


| MOREnet Network and Security Services 
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